lkcl: Right you are. Except, we need to go
a bit further: the Unix kernels need to support SIDs. That
means throwing setuid() and friends out the window.

There will be a lot of resistance -- in fact, the idea does
not advance; someone has to implement it first (perhaps one
of the many "security enhanced" Linux versions out there,
such as the NSA's, implements this or a suitable framework
for implementing SIDs at the kernel level).

Of course, filesystems too need to support SIDs.

And the old flat UID/GID system has to remain available for
backwards compatibility.

In other words, processes need to have multi-component,
extensible credentials. And I say they need to have an array
of creds, with each thread (or clone()ed process) having an
"effective" cred array index.
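
One possible shape for the credential layout described above, as an added example (not code from this post or from any kernel). All struct and function names are hypothetical; it assumes an NT-style SID and models the access check as an owner-SID comparison.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical layout constructed for illustration; not a real kernel API. */
#define MAX_SUB   8
#define MAX_CREDS 4

/* NT-style multi-component ID: S-<revision>-<authority>-<sub[0]>-... */
struct sid { uint8_t revision, nsub; uint64_t authority; uint32_t sub[MAX_SUB]; };
struct cred { struct sid user; uint32_t legacy_uid, legacy_gid; };  /* flat IDs for old interfaces */
struct process { struct cred creds[MAX_CREDS]; int ncreds; };
struct thread  { struct process *proc; int effective; };  /* index into creds */

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return a->revision == b->revision && a->authority == b->authority &&
           a->nsub == b->nsub && a->nsub <= MAX_SUB &&
           memcmp(a->sub, b->sub, a->nsub * sizeof a->sub[0]) == 0;
}

/* Identity switch selects another slot instead of overwriting IDs in place. */
static int thread_set_effective(struct thread *t, int idx)
{
    if (idx < 0 || idx >= t->proc->ncreds)
        return -1;                /* fail closed on an out-of-range slot */
    t->effective = idx;
    return 0;
}

/* SID-aware check: does the thread's effective cred own the object? */
static int thread_owns(const struct thread *t, const struct sid *owner)
{
    return sid_equal(&t->proc->creds[t->effective].user, owner);
}

/* Backwards-compatible view: what a getuid()-style caller would be told. */
static uint32_t thread_legacy_uid(const struct thread *t)
{
    return t->proc->creds[t->effective].legacy_uid;
}

int main(void)
{
    /* Constructed sample: slot 0 = S-1-5-18, slot 1 = S-1-5-21-1111-2222-3333-1001 */
    struct process p = { .creds = { { {1, 1, 5, {18}}, 0, 0 },
        { {1, 5, 5, {21, 1111, 2222, 3333, 1001}}, 1001, 100 } }, .ncreds = 2 };
    struct thread t = { &p, 0 };
    return !(thread_owns(&t, &p.creds[1].user) == 0 && thread_set_effective(&t, 1) == 0 &&
             thread_owns(&t, &p.creds[1].user) == 1 && thread_legacy_uid(&t) == 1001);
}
```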